One.one.one.one fingerprint mismatch

This means that there is no way of verifying the validity of the the certificate correct?

Is it not possible to just check whether the certificate got issued by a trusted CA and if *.one.one.one is in the DNS name of the certificate?

That is what GRC web site https://www.grc.com/fingerprints.htm does but cloudflare site is the only one that it does not verify that I am aware.

Cloudflare actually verifies just fine. And the reason why you believe it is not, has actually been already explained a month ago. More than once.

As @domjh said, we are going in circles again.